Terry Halvorsen assumed the duties as the Department of Defense Chief Information Officer effective March 8, 2015. He previously served as the Acting Department of Defense Chief Information Officer from May of 2014. Prior to that, he was the Department of the Navy Chief Information Officer.
As DoD CIO, Mr. Halvorsen is the principal advisor to the Secretary of Defense for Information Management/Information Technology and Information Assurance as well as non-intelligence space systems; critical satellite communications, navigation, and timing programs; spectrum; and telecommunications. He provides strategy, leadership and guidance to create a unified information management and technology vision for the DoD and to ensure the delivery of information technology (IT)-based capabilities required to support the broad set of department missions.
In August, Mr. Halvorsen launched a bold new plan for DoD IT modernization priorities that is designed to manage the fast-paced information technology environment and capture the latest IT innovations that offer previously unimagined opportunities for the warfighter.
The policy guide, DoD Information Technology Environment Way Forward to Tomorrow’s Strategic Landscape, identifies eight goals to ensure the DoD IT environment will be built to meet the missions of today and support the strategic direction of tomorrow. They include:
-- Executing capability initiatives toward the Joint Information Environment vision.
-- Improving partnerships with mission partners and industry.
-- Ensuring successful mission execution in the face of a persistent cyber threat.
-- Providing a cloud computing environment.
-- Optimizing DoD’s data center infrastructure.
-- Exploiting the power of trusted information sharing.
-- Providing a resilient communications and network infrastructure.
-- Improving transparency of DoD IT investments.
CHIPS magazine staff asked Mr. Halvorsen to discuss these strategic goals for DoD’s IT environment in December.
Q: Can you talk about the concept of the Joint Information Environment (JIE) and how the military services are advancing its development?
A: A seamless, transparent IT infrastructure that transforms data into actionable information and ensures dependable mission execution in the face of the persistent cyber threat is vital in today’s IT environment. This IT and cyber infrastructure is the strategic outcome of the JIE vision.
One thing that is important to understand about the JIE is that it will always be changing. We will have the JIE architecture fielded, and completely sealed as an architecture baseline. But it won’t be the same baseline in 2019. We’ve already modernized the JIE baseline architecture — known as the Joint Regional Security Stacks (JRSS) — and made changes to some of the software. Because of the pace of change for both the threat and the technology, the JIE is built to be both more flexible and agile than the architectures and structures DoD had before. That recognizes that security, and frankly, the entire network, is greatly influenced by rapidly changing technologies.
The key point with JIE is yes, we are doing it, and I’ll give you an example. The Navy is onboard with JIE today with its excepted networks. Some people may have heard that the Navy is not onboard. The Navy is onboard, and when the Navy brings NGEN onboard, it won’t be bringing the same NGEN onboard, with say, the same toolset or capabilities that we rolled out with the Army in the first instance. JIE continues to mature, and it continues to develop new capabilities that are required as the threat keeps changing.
Q: Can you talk about the JIE’s capabilities?
A: Through the vision for a secure, streamlined IT and cyber infrastructure that we call JIE, we are pursuing specific IT capability concepts. This is a flexible, somewhat fluid, concept of IT through capabilities, and it is consistent with industry best practices, especially for expansive organizations with varied mission sets like DoD. I like to say that if DoD was in the Fortune 500, we would be at the top of the list, and all of the Services — including the Navy — would also each be up there.
To enable the JIE vision, DoD is pursuing specific and discrete IT capacity initiatives that will result in the comprehensive modernization of the IT infrastructure that supports our entire enterprise. And we are also making sure that all of our IT supports our DoD workforce while upgrading our IT backbone.
First and foremost of these discrete initiatives is JRSS. The stacks have been my top priority since I first started in this job. JRSS is normalizing network and transport, and standardizing IT security. We have made a lot of progress on JRSS, and our biggest problem right now is that too many users want to move onto the stacks too quickly.
These JIE capability initiatives will change over time, and this flexible approach is an important component of JIE. Right now JRSS is the top capability initiative we are pursuing toward JIE.
Q: How are you looking to establish more meaningful engagement with industry and mission partners?
A: We have done a series of things to establish more meaningful engagement with our industry and mission partners. We partnered with industry for our current cloud guidance. We set up a series of engagements, both virtual and live, where industry could give us their input as we were writing these documents on cloud. It turned out to be an incredible success with industry, and I believe, an incredible success for us. We produced documents that are actually living documents. I believe there will be more of this type of partnership in the future. The other thing we had to recognize with our documents is, unlike some other areas where I write policy guidance and instructions, the shelf-life of this is much shorter — again because of the pace of change and adaptability.
So working with industry to write the documents has been significant. We have also started some new programs. We always had a program that let us share military personnel with industry. We have expanded that, and now I am putting civilians out to work in industry. I am also taking industry people and placing them within the DoD; there are some of them on my staff, and in the Army, and in the Navy, and the Air Force. We are looking to expand that program this coming year with even more exchange between the department and industry. (For more information on the IT Exchange Program, please visit: http://dodcio.defense.gov/In-the-News/Information-Technology-Exchange-Program/)
We are increasing the number of industry engagements and expanding the breadth and depth of what we bring to the table for them. This summer, for instance, I took a team out to Silicon Valley that actually included, beside the normal DoD players, the CIOs or their representatives from the Five Eyes partners (Australia, Canada, New Zealand, the United Kingdom and the United States), plus Germany, Japan and NATO.
In February, and this is more enterprise focused, we are having a special meeting of the Five Eyes group, where we are inviting Germany, Japan and NATO. Dr. John Zangardi, my deputy, will look to schedule a trip to the East Coast this spring, again with the CIOs from the Military Departments, and also from two of our foreign partners, to meet with current industry partners that are big in IT and cyber. They will also meet with some emerging companies.
We continue to reach out. We have started tweeting to engage with industry using more modern communication techniques. (Check out the DoD CIO on Twitter @DoD_CIO!)
Q: When you engage with industry — do you just go to hear about their new technologies — or do you bring specific problems that require a solution?
A: The answer to that question is yes, and I’ll expand on that. Sometimes, we will go out and just want to get a sense of the history of what’s been done and to ask industry to give us updates.
Other times, we bring specific problems to industry. A good example of this relates to my announcement that I want to get DoD off of the smartcards, CAC cards, in two years. In support of that, we have put out some very specific industry initiatives working through the DIUx (Defense Innovation Unit Experimental) in California to find some of the specific things that industry is doing for security that do not involve a smartcard or some other type of hardware token.
I have been exceptionally happy with the initial results. We are looking to pilot some of those technologies in the coming year.
So we will do both — we will get general updates, but sometimes we will put out specific problems and statements. Another thing we’ll do to signal where we need help from industry, and this year we did it in a humorous way, is that I will explain the capabilities I want. This year I put out, ‘What I want for Christmas,’ in a couple of speeches. I’ll say, ‘What I really want is the capability in a very small form-factor device to be able to do cellular, wireless and radio communications — all in the same form-factor.’
Based on the technology today, I think industry could deliver on that.
Q: We’ve talked about the Common Access Card replacement. Can you be more specific in the solutions that you looked at?
A: I don’t want to say anything that could be considered pre-decisional, but this is what I will tell you about some of the things we have in mind. We want a multifactor authentication solution that we will review to grant access to networks and data. Multifactor could be 10 to 15 factors. We want to randomize which of those factors we are using on any given day. So let’s say you have 10 factors, we could have more, but I’ll say 10, and we decide we are going to use five of those to access data and access the network on a particular day.
Those five would keep changing, so not only would an adversary have to break all of the factors we are using — and they will be a combination of biometric, behavioral, some personal data, all combined — the adversary would also have to figure out which ones we were using that day to grant access.
I want all of those in a way that will not rely on an issued smart card or token. That all has an infrastructure cost to it, and it is hard to do that in some of the remote places we go — or in combat — or a very tense operating environment. It’s hard to take that infrastructure with you. So in the future what I see is factors based on biometric, personal data, or behavior on the network, which means how a user actually does things on the network, because some of that is very unique.
I probably will never actually identify all the actual things we are doing and what technologies we are using because that would be very useful information to anybody who wanted to try to attack them.
Q: What do the military services and the Defense Information Systems Agency (DISA) need to do to ensure mission execution in the face of cyber warfare by capable adversaries?
A: We’ve already talked about some of this, like getting DoD off of the smartcard, and we do continual threat assessments both within DoD and with industry. We have an active program with industry to share the data they’re seeing and the data we’re seeing. (For more information on the Defense Industrial Base Cybersecurity (DIB CS) Program, please visit: http://dibnet.dod.mil/.)
We are flexible, as I said; we have changed some of the JRSS configurations and software to better respond based on the new cyber threats we see. We have continuous dialogue on the next set of security capabilities that we want to have.
So we are engaging with industry to always find something better. In addition, we are sharing this data with our Five Eyes partners and our allies, so we are getting a worldwide view of security and where the threats are and where they have adapted. They [adversaries] change their tactics, so we have to change something on the network. It is an area where we are constantly feeding and evaluating data.
Q: The Defense Department and DISA have been working to deploy a cloud computing environment for the department. Can you talk about any roadblocks that have been encountered and the progress being made?
A: I want to start out by saying a couple things that are important to our cloud adoption. We are not specifically an information technology business. We are in the business of war and, more importantly, DoD is in just about every business you can think of. We’re in the retail business, we’re in the shipping and logistics business, and we’re in personnel and pay, and the finance business. So part of the path has been trying to adapt cloud where it made sense for all those different business models.
And the second one, very candidly, has been cultural change in DoD. It’s a different model; people did not understand it. I will use the word ‘distributed-compute,’ instead of the word cloud, because that’s really what it is. It’s distributing your compute and storage capability to a wider range of data storage options, instead of a set of servers that you can go and see.
Besides the cultural and different business models, there were also some contractual issues. In cloud, many times, you are contracting for a service; you are not buying hardware and software. That’s a little different, and it took us a while to get that right.
We are getting it right, though, and I think it’s worth saying, that if you look at non-IT companies, we are not way behind, as some people will say. We are actually a little bit ahead of the average big non-IT company in moving to cloud, and I think that adoption will accelerate.
Last year, we signed a contract that will allow us to do everything from a purely government cloud to a purely private cloud — and many variations in between. What I said from the beginning is that DoD is so big that we will need almost every type of cloud configuration you can think of. So we have what I’ll call the two pure options, which are private and government cloud. And then we also will have hybrid models in between.
So, we have contracts now where we have commercial vendors coming onboard using government spaces and some government equipment to deliver cloud in a combination of government and contractor. We are doing the command and control of our data in the cloud. So we are doing all those variations, and we now have contracts that actually adapt to all those variations. So I think you will see more cloud, or distributed compute, develop in the next 18 months.
Q: Is this effort mostly for the Army and Air Force?
A: No, this is for everybody. The Navy had the first cloud solution. They were the first ones to go to a big commercial cloud solution. Army, Air Force, Coast Guard, most everyone in the DoD family, is in some form of cloud. You will see it even move more as we develop our business and security rules and learn how to put the right security in distributed compute.
Certainly, we would agree with most people who said distributed compute, or cloud, has an overall opportunity to improve security, but it did present new security challenges that we had to figure out. We have now done that, so I think you will see the cloud opportunity and cloud acceptance expand at a faster rate than it has in the last three years. You’ll see us be able to expand and move faster on cloud than we have over the next three years.
Q: According to the “DoD IT Environment – Way Forward to Tomorrow’s Strategic Landscape,” the plan is to optimize the Defense Department’s data center infrastructure. By the first quarter of 2017, a high-level team, made up of DoD CIO personnel and experts from the military services, will conduct site visits at the Department’s 25 most expensive data centers. Can you provide an update on the team’s work so far?
A: Right now, we have established a team, and it is led by the DoD CIO with participation from all the Services at a technical level. That team is going out and reviewing data centers at certain locations where data centers were concentrated. They have just come back, but I can’t tell you where they have come back from. They are developing a plan that will consolidate data centers in an area where there were 10 data centers to maybe two or one data center. That, we believe, is a good way forward.
The team is using proven business models, techniques, and reviews that industry would use to account for data center usage, costs, and other factors that drive data centers. For example, are they located near a major internet hub so they have the bandwidth to transmit data? We will take the results, and hear the recommendations about which data centers we should consolidate and where that data should go, and then we will make a business case informed by mission on how to consolidate data centers.
You will see some updates from the team on this later this winter.
Q: Transition to Windows 10 is an opportunity to refresh and modernize networks and reduce legacy systems and applications. Are there cost-savings and other advantages associated with the Win 10 migration?
A: Yes, when coupled with the movement to JRSS — these are the two most important things that we are doing with respect to the overall operation of DoD information systems. There are advantages in upgrading to Windows 10, but more importantly, there are great mission gains that will lead to more benefits.
The emphasis on the transition to Windows 10 is around mission gains and improved security, and the ability to take security and apply the right risk equation. One of the things that moving to a common operating system does is it gives us the ability to standardize our network structures. I don’t think we’ll get to 100 percent standardization, but I also don’t think we actually want that; there is power in diversity.
Within DoD, we have overcapitalized, on what I would call — the diversity of goodness. We have more systems and more variations of systems than are good for us. So I would say the first thing it’s going to do is remove some complexity from the DoD networks by moving to a common operating system.
Complexity is probably our biggest problem; it keeps us from adopting some of the better business techniques — both for mission and security. So I would say that moving to a common operating system will reduce our attack surfaces, there will be less configuration and fewer differences to defend. There will be some differences, and we want that for diversity’s sake. But there will be a conscious decision to have diversity. Today, it has been more of an evolved situation, than it was conscious decisions about where to be diverse.
We want less diversity; we will put most of the department’s major networks on Windows 10. It’s not about Windows 10, as much as it is about many operating systems doing the same thing — a standard solution.
Because today — and that doesn’t mean we will continue — we are predominantly a Windows, Microsoft-based organization. That does not mean we would stay with Windows-based systems — that’s today. And I stress that this is today’s environment.
One of the most critical factors to look at, and one of the hardest things to understand about the environment, is the rate of change, the pace of change. So that’s for today, that could change if we had another major technology breakthrough or a new threat that was able to attack us in different ways. So we will continue with that today, it was the right decision to do.
It also limits, from a complexity sense, the number of things that we train people on, because we will have more standard configurations — and that solution is also being adopted by many of our partners. You may be aware that the U.K. is going to a Microsoft cloud, and they will also, at some point, transition to Windows 10, along with some of their other allies. This will give us an ability to both share data quicker, and in a better variety of ways, share it more securely.
Q: What are some of the ways in which the Defense Department will simplify its IT infrastructure and networks to better serve its vast number of users?
A: Common operating systems, coupled with JRSS, are the two biggest things we are doing that will actually help simplify the IT infrastructure and networks. This lets us both collapse firewalls, collapse the number of what I call points on the network, and it also lets us better see what’s on the network.
Sometimes our problem with the network, because of all the variations, is that it’s actually hard for people and commands that need to see all the parts of our network in the detail they need to make it secure, but also understand what risk decisions we need to take on the network.
So transitioning to a single operating system, coupled with deploying JRSS, in a single security architecture are the two main things we are doing to simplify our structure, both our physical and virtual structure, which will get us to a less complex environment.
Q: The Defense Department IT budget was more than $36 billion in fiscal year 2015. Can you talk about how the DoD will improve the oversight, execution and transparency of its IT investments?
A: Yes, we’ve already done some things to improve transparency. We’ve actually added cost codes to the budget. For a specific example, in the past, we didn’t have a cost code to track the money we were spending on data centers; we have one now. We also now have cost codes that track the costs of different types of software and that account for different types of hardware. Those are some of the mechanical things we are doing.
In addition to doing that, with respect to DISA, DISA is a service that still charges for a service, we have increased the transparency. We are holding many more meetings with the Services, which are in this case, the customers, to explain to them how DISA establishes its rates. We’ve opened the opportunities inside of DISA for the Services to basically control their rates and more. In the last three years we have actually reduced DISA rates, and that has been influenced by what the Services are willing to do and how they look at that.
We are being more transparent in our guidance to both the Services and DISA about what needs to be done and what the priorities are — and probably the key word there is transparency. We are sharing, making available our cost data more than we have in the past. We are spending time explaining that data to customers at all levels.
A good example is how DISA is evolving its business processes to build more transparency into Defense Information Systems Network (DISN) services, allowing both the agency and its mission partners to generate efficiencies by ensuring that mission partners can order services in the amounts that they actually need and plan to use. DISA published two big changes to DISN business processes for fiscal year 2017.
First, starting this fiscal year, each mission partner or organization must pay for their consumption of DISN services. This is a change from previous guidance that required a location’s lead mission partner to pay for all DISN services consumed and billed at that location. That alleviated co-located mission partners from any financial responsibility for their portion of the DISN services that were consumed. DISN services are also offered as separate, or ‘a la carte,’ offerings. This provides mission partners with increased control in determining which services they truly need and are willing to pay for. Until this fiscal year, costs for both DISN infrastructure and end-user services were bundled together.
In fiscal year 2017, DISN infrastructure and end user service rates were published in 2016. As mission partners adjust to new business processes, DISA is working with them to ensure that they have a clear understanding of their anticipated usage as well as the true costs of each service. Over the next three years, DISA plans to continue revising DISN costs to reflect actual mission partner usage and provide accurate reimbursement of Defense Working Capital Fund (DWCF) costs.
Q: Is there anything else that you would like to talk about?
A: As I look to the future, there are a couple things that I think people at DoD really need to focus on. One of those is continued partnership with industry and our allies. I don’t think you can overstress that.
I would say that the way we partner with industry has certainly been one of the keys to the nation’s advantages in the IT/cyber area. I think improving those advantages, is in fact, one of the key elements that in many ways you might say, is our ‘secret weapon.’ Our ability to partner with industry faster and more effectively, and to bring newer capabilities to bear faster, has been one of our secrets to success, and it actually holds promise to be an even bigger component to our success.
Couple that with better involvement from our allies. So, as an example, we are working with a set of allies, the Five Eyes and, as I mentioned, the plus two (Japan and Germany), to come to agreement on some security standards and identity standards that will make it easier for us to share data and bring our partners onto our networks, and for us to get on their networks in a way that lets the right data be shared while also ensuring that data we don’t want to share is well-protected. This effort, known as the Mission Partner Environment-Information System, or MPE-IS, will be a key advantage to our mission partners in the coming years. I think that will help us maintain some key advantages over the threats we face.
I think continued transparency on the budget and dollars, while we have been somewhat successful … It’s not just about saving money, some of it is better management of our money, redistributing some of that money to critical warfare areas. I don’t think that job is done, and I think we will need to continue to focus on ways to apply the best commercial business practices within DoD.
Now there is a caveat that we are not a business, so we do have to figure out what that means for missions, but I don’t think those two things are incompatible. I think often there are things we can do to improve the mission by applying business practices and obtaining cost savings.
In my opinion, we’re about to enter an age in IT and cyber where there will be an increased ability to improve mission and reduce cost. We will really have to ensure that, within the DoD, we are staying on top of that, and asking ourselves continual questions about whether this is the best we can do as we see new technologies and techniques, and integrating and justifying new technologies and capabilities.
I think there is potential for DoD to get much more effective and efficient in its IT and cyber spending, and use that money to improve other areas. You could transfer that money to other parts of the department that are focused on activities that I’ll call, ‘tip of the spear.’ You can then take some of that money and further improve end security, without having to spend more money.
Editor’s Note: Mr. Halvorsen announced his retirement from government in January. He plans to retire by Feb. 28 with 37 years in government service.